Add SEP-991 (CIMD) support for URL-based client IDs #570
+656
−30
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
github-actions
bot
added
T-dependencies
tanish111
changed the title
add cimd support for url-based client ids Signed-off-by: tanish111 <tanishdesai37@gmail.com>
Add test coverage for is_https_url helper to validate HTTPS scheme, non-root paths, and reject http, javascript, data schemes, and invalid inputs per SEP-991 requirements. Signed-off-by: tanish111 <tanishdesai37@gmail.com>
Implements a new server example (servers_cimd_auth_streamhttp) that demonstrates CIMD (Client ID Metadata Document) support for URL-based client IDs. The server validates client_id URLs, fetches and validates client metadata documents, and provides OAuth 2.0 authorization endpoints with MCP integration for end-to-end testing. Signed-off-by: tanish111 <tanishdesai37@gmail.com>
Add CORS headers to token endpoint to allow cross-origin requests from browsers during OAuth authorization code exchange flow. Signed-off-by: tanish111 <tanishdesai37@gmail.com>
Collaborator
|
There's a interface set_credentials , Can it already cover CIMD? |
jokemanfire
reviewed
Dec 9, 2025
- Improve is_https_url function formatting and readability - Merge all test cases into single test_is_https_url_scenarios function - Add missing test case for "https://" URL Signed-off-by: tanish111 <tanishdesai37@gmail.com>
jokemanfire
previously approved these changes
Dec 9, 2025
Collaborator
|
LGTM ,but a little grammar simplification. |
Replace the verbose match statement with map_err for more idiomatic Signed-off-by: tanish111 <tanishdesai37@gmail.com>
Contributor
Author
|
@alexhancock can you also review it? |
jokemanfire
previously approved these changes
Dec 10, 2025
alexhancock
previously approved these changes
Dec 10, 2025
| const MCP_REDIRECT_URI: &str = "http://127.0.0.1:8080/callback"; | ||
| const CALLBACK_PORT: u16 = 8080; | ||
| const CALLBACK_HTML: &str = include_str!("callback.html"); | ||
| const CLIENT_METADATA_URL: &str = "https://raw.githubusercontent.com/tanish111/cimd-local-oauth-server/refs/heads/main/client-metadata.json"; |
Collaborator
There was a problem hiding this comment.
can you put one in the rust-sdk repo itself?
Contributor
Author
There was a problem hiding this comment.
@alexhancock I have updated it with new metadata json hosted on rust-sdk repo.
Add client metadata file for SEP-991 CIMD authentication support Signed-off-by: tanish111 <tanishdesai37@gmail.com>
tanish111
dismissed stale reviews from alexhancock and jokemanfire
via
a8a5e92
alexhancock
approved these changes
Dec 10, 2025
Merged
9 tasks
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Motivation and Context
Implement SEP-991: URL-based Client Registration (OAuth Client ID Metadata)
How Has This Been Tested?
cimd_auth_streamhttp.rs) implementing SEP-991: validates client_id URLs, fetches and validates client metadata documents, and enforces CIMD restrictions according to specs. This is tested against external CIMD-compliant testing tools (client.dev and example-app.com/client).Testing Results form client.dev for example server:-
Updated oauth_client.rs to support CIMD with 2 CLI arguments (server URL and client metadata URL). End-to-end flow verified:
Start the server using
cargo run --example servers_cimd_auth_streamhttpIn a seperate terminal run the client with
cargo run --example clients_oauth_client --package mcp-client-examples -- http://127.0.0.1:3000 https://raw.githubusercontent.com/tanish111/cimd-local-oauth-server/refs/heads/main/client-metadata.json. And complete the OAuth Flow.Added unit tests for the is_https_url helper covering valid HTTPS URLs, invalid schemes, root paths, and edge cases.
Breaking Changes
No
Types of changes
Checklist
Additional context
Fix issue #519